RedSun Zero-Day: Researcher Drops Second Microsoft Defender Exploit in Two Weeks, Granting Full SYSTEM Access
A researcher named "Chaotic Eclipse" has released a PoC exploit dubbed "RedSun" targeting Microsoft Defender, escalating privileges to SYSTEM level with no patch in sight.
This analysis is based on research published by Bleeping Computer. CypherByte adds analysis, context, and security team recommendations.
Original research credited to Bleeping Computer and researcher "Chaotic Eclipse." CypherByte analysis represents independent assessment of the disclosed vulnerability and its broader implications.
Executive Summary
A security researcher operating under the pseudonym "Chaotic Eclipse" has released a public proof-of-concept (PoC) exploit for a second Microsoft Defender zero-day vulnerability within a two-week window, this one dubbed "RedSun." Unlike opportunistic bug drops, this disclosure carries a deliberate message: the researcher has explicitly framed the release as a protest against Microsoft's handling of vulnerability research relationships and what they characterize as dismissive or non-collaborative engagement with independent security contributors. The exploit, as reported by Bleeping Computer, demonstrates a privilege escalation path that elevates an attacker's access to SYSTEM-level privileges on affected Windows endpoints — the highest privilege tier available to a user-space process on the Windows operating system.
Security teams responsible for enterprise Windows environments, managed security service providers (MSSPs), and organizations relying on Microsoft Defender as their primary or sole endpoint protection layer should treat this disclosure with immediate urgency. The fact that a functional PoC exists in the public domain — unaccompanied by a patch, CVE assignment, or official Microsoft advisory at the time of writing — significantly compresses the window between disclosure and weaponization. Threat actors actively monitor public repositories and security news feeds for exactly this kind of actionable, unmitigated exploit code. The combination of a trusted, deeply integrated security product as the attack surface and the granting of SYSTEM privileges as the outcome makes RedSun a particularly high-consequence disclosure.
Technical Analysis
While the full technical internals of the RedSun exploit are still being assessed by the research community, the core mechanism reported centers on a privilege escalation vulnerability within the Microsoft Defender service architecture. Microsoft Defender, by architectural necessity, operates with elevated privileges — its scanning engine, real-time protection components, and service processes run under highly privileged contexts (NT AUTHORITY\SYSTEM or equivalent) to access protected system areas, kernel memory regions, and low-level file system operations. This design choice, necessary for effective malware detection, simultaneously makes Defender's attack surface extraordinarily valuable to adversaries: any exploitable flaw in the service can be leveraged not just to disable protections, but to inherit those elevated privileges entirely.
The RedSun PoC appears to exploit a flaw in the way Defender's privileged service processes handle specific inputs or interactions accessible from a lower-privileged user context. This class of vulnerability — where a high-privilege service inadequately validates or isolates interactions initiated by unprivileged callers — is sometimes described as a confused deputy attack variant. By crafting a specific sequence of operations or inputs that the Defender service processes under its own elevated token, a local attacker running as a standard user can coerce the service into performing actions on their behalf at SYSTEM level. The result is a reliable local privilege escalation (LPE) primitive. In a post-exploitation context, this is precisely the kind of capability that transforms limited initial access — a phishing foothold, a compromised low-privilege account — into full endpoint compromise. The public availability of a working PoC removes the technical barrier that would otherwise limit exploitation to sophisticated threat actors.
Impact in brief: local privilege escalation to SYSTEM, enabling credential dumping (LSASS access), disabling of security controls, lateral movement, and ransomware deployment.
The irony embedded in this disclosure is technically significant and should not be overlooked: Microsoft Defender itself — the tool deployed to stop exactly this kind of attack — is the vehicle through which full system compromise is achieved. An attacker exploiting RedSun does not need to bypass Defender; they exploit it. This undermines the fundamental trust model that enterprises place in endpoint detection and response (EDR) tools and raises important questions about the security posture of deeply privileged security software.
Impact Assessment
The affected surface is extraordinarily broad. Microsoft Defender is the default endpoint security solution for all modern Windows installations, including Windows 10 and Windows 11 across consumer, enterprise, and government deployments. Organizations that have not deployed a third-party AV solution — and even many that have, as Defender often coexists alongside other tools — are potentially exposed. Server environments running Windows Server with Defender enabled, which includes a substantial proportion of enterprise infrastructure, are equally at risk. Remote work endpoints, developer workstations, and kiosk systems running standard user accounts represent the most immediately accessible targets, as the exploit path requires only local access rather than a network-facing attack vector.
Real-world consequences of successful exploitation range from complete endpoint takeover and credential harvesting to security tool tampering and ransomware pre-positioning. In Active Directory environments, a SYSTEM-privileged process can facilitate Kerberoasting, DCSync attacks, and Group Policy manipulation. For organizations operating in regulated industries — healthcare, finance, critical infrastructure — the downstream compliance and breach notification implications of an unmitigated SYSTEM-level compromise are severe. The lack of a vendor patch or CVE ID means standard vulnerability management workflows cannot yet track or prioritize this risk, creating a blind spot in most enterprise security programs.
CypherByte's Perspective
The RedSun disclosure crystallizes a tension that has existed in the security research ecosystem for years: what happens when the coordinated disclosure process breaks down? Researchers invest significant time and technical skill identifying vulnerabilities that protect millions of users. When vendors are perceived as dismissive, slow, or non-collaborative, the incentive structure that underpins responsible disclosure erodes. "Chaotic Eclipse" has chosen a form of protest that carries real collateral risk to the very users they may intend to protect — or may be attempting to pressure vendors into protecting faster. Neither interpretation is comfortable.
From a systemic perspective, this incident reinforces a critical principle: no single security control should be trusted unconditionally. Microsoft Defender is a capable and broadly effective tool, but its elevated operational privilege makes it a high-value target that adversaries — and now researchers — are actively probing. Defense-in-depth, least-privilege architectures, and layered detection strategies are not optional enhancements; they are essential mitigations for exactly this scenario. Security teams should also internalize that the cadence of vulnerability research is accelerating. A two-week gap between two zero-day disclosures from the same researcher signals an inventory, not a one-time event.
Indicators and Detection
Given the absence of official vendor signatures, defenders must rely on behavioral indicators. The following represent the most actionable detection opportunities for RedSun-style exploitation:
Process Lineage Anomalies: Monitor for unexpected processes spawned with a SYSTEM token (System integrity level) from parent processes associated with Microsoft Defender service binaries (MsMpEng.exe, MpCmdRun.exe, SecurityHealthService.exe). Any interactive shell, scripting engine, or network tool inheriting from these parents warrants immediate investigation.
Token Impersonation and Privilege Escalation Events: Windows Security Event ID 4672 (Special privileges assigned to new logon) combined with Event ID 4624 (Logon) where the resulting session carries SYSTEM-level privileges and originates from a non-administrative user context represents a high-fidelity indicator of privilege escalation activity.
Defender Service Interaction Anomalies: Unusual COM object instantiation, named pipe access, or inter-process communication directed at Defender service processes from unprivileged user-space processes should trigger alerting, particularly in environments with mature EDR telemetry.
PoC Repository Monitoring: Threat intelligence teams should maintain active monitoring of public repositories (GitHub, GitLab, Pastebin variants) for the RedSun keyword alongside Microsoft Defender exploit tooling. Operational variants are likely to emerge within days of PoC availability.
Key indicators: SYSTEM-level process spawning from Defender service binaries and unusual privilege escalation event sequences.
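Detection logic for the process-lineage indicator, as an added example that is not part of the original article or the researcher's PoC: it walks constructed Sysmon-style process-creation records and flags SYSTEM-level children of the Defender binaries named above. The shell/script/network-tool watchlist, the two severity tiers and all sample paths and account names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Defender service binaries named in the article, matched on basename.
DEFENDER_BINARIES = {"msmpeng.exe", "mpcmdrun.exe", "securityhealthservice.exe"}
# Shells, scripting engines and network tools: the child categories the article
# singles out. Assumed starting watchlist; tune it to your environment.
SHELL_AND_TOOL_WATCHLIST = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                            "cscript.exe", "net.exe", "netsh.exe"}

@dataclass
class ProcessEvent:
    """Process-creation record modelled on Sysmon Event ID 1 fields (constructed)."""
    parent_image: str
    image: str
    user: str             # e.g. NT AUTHORITY\SYSTEM or CORP\alice
    integrity_level: str  # e.g. System, High, Medium

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def runs_as_system(ev: ProcessEvent) -> bool:
    return ev.user.lower() == r"nt authority\system" or ev.integrity_level.lower() == "system"

def classify(ev: ProcessEvent) -> Optional[str]:
    """'high': SYSTEM shell/script/network tool parented by a Defender binary;
    'medium': any other SYSTEM child of a Defender binary that is not itself Defender;
    None: Defender spawning its own components, or a parent unrelated to Defender."""
    if basename(ev.parent_image) not in DEFENDER_BINARIES or not runs_as_system(ev):
        return None
    child = basename(ev.image)
    if child in SHELL_AND_TOOL_WATCHLIST:
        return "high"
    return "medium" if child not in DEFENDER_BINARIES else None

def find_alerts(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return (severity, parent basename, child basename) for each matching event."""
    return [(sev, basename(e.parent_image), basename(e.image))
            for e in events if (sev := classify(e))]

# Constructed sample telemetry; paths, the <version> folder and account names are illustrative.
PLATFORM = r"C:\ProgramData\Microsoft\Windows Defender\Platform\<version>"
SAMPLE_EVENTS = [
    ProcessEvent(PLATFORM + r"\MsMpEng.exe", PLATFORM + r"\MpCmdRun.exe", r"NT AUTHORITY\SYSTEM", "System"),  # Defender's own tooling: no alert
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"CORP\alice", "Medium"),  # user shell: no alert
    ProcessEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM", "System"),  # non-Defender parent: no alert
    ProcessEvent(PLATFORM + r"\MsMpEng.exe", r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM", "System"),  # high
    ProcessEvent(PLATFORM + r"\MsMpEng.exe", r"C:\Windows\System32\notepad.exe", r"NT AUTHORITY\SYSTEM", "System"),  # medium
]
```

Feed the same records from your EDR or Sysmon pipeline and treat any "high" hit as the confirmed-compromise condition described in Recommendation 1.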
Recommendations
1. Activate Enhanced Monitoring Immediately. Security operations teams should implement or verify detections for the process lineage and privilege escalation indicators described above. Treat any Defender-parented SYSTEM-privileged shell as a confirmed compromise until proven otherwise.
2. Apply Defense-in-Depth Layering. Do not rely solely on Microsoft Defender for endpoint protection. Supplementary EDR products that monitor at the kernel or hypervisor level provide detection coverage that a compromised Defender instance cannot suppress. Evaluate current tooling gaps urgently.
3. Enforce Least Privilege Across Endpoints. Ensure end-user accounts operate as standard users without local administrator rights. While RedSun requires only local access rather than administrator rights to function, restricting what an attacker can do after escalating limits the blast radius significantly.
4. Accelerate Patch Deployment Readiness. When Microsoft releases a patch — whether via an out-of-band security update or a Patch Tuesday release — your organization must be capable of deploying it within hours, not days. Review and test your emergency patching pipeline now, before the fix exists.
5. Monitor Microsoft Security Advisories Continuously. Subscribe to Microsoft's Security Response Center (MSRC) feeds and maintain a dedicated watch for any advisory referencing Microsoft Defender privilege escalation. Given the public PoC, an accelerated response from Microsoft is expected.
6. Brief Executive and Legal Stakeholders. The combination of a public PoC, no available patch, and SYSTEM-level impact warrants escalation beyond the security team. Ensure organizational leadership understands the current risk posture and the potential for rapid weaponization by ransomware operators and nation-state actors.
CypherByte will continue monitoring this vulnerability and will publish updated analysis as new technical details, patches, or threat actor activity emerge. Original reporting by Bleeping Computer; independent analysis by the CypherByte Research Team.